FIO00-A. Take care when creating format strings
FIO01-A. Be careful using functions that use file names for identification
FIO02-A. Canonicalize path names originating from untrusted sources
FIO03-A. Do not make assumptions about fopen() and file creation
FIO04-A. Detect and handle input and output errors
FIO05-A. Identify files using multiple file attributes
FIO06-A. Create files with appropriate access permissions
FIO07-A. Prefer fseek() to rewind()
FIO08-A. Take care when calling remove() on an open file
FIO09-A. Be careful with binary data when transferring data across systems
FIO10-A. Take care when using the rename() function
FIO11-A. Take care when specifying the mode parameter of fopen()
FIO12-A. Prefer setvbuf() to setbuf()
FIO13-A. Never push back anything other than one read character
FIO14-A. Understand the difference between text mode and binary mode with file streams
FIO15-A. Do not create temporary files in shared directories
FIO16-A. Limit access to files by creating a jail
FIO30-C. Exclude user input from format strings
FIO31-C. Do not simultaneously open the same file multiple times
FIO32-C. Do not perform operations on devices that are only appropriate for files
FIO33-C. Detect and handle input output errors resulting in undefined behavior
FIO34-C. Use int to capture the return value of character IO functions
FIO36-C. Do not assume a newline character is read when using fgets()
FIO37-C. Don't assume character data has been read
FIO38-C. Do not use a copy of a FILE object for input and output
FIO39-C. Do not read in from a stream directly following output to that stream
FIO40-C. Reset strings on fgets() failure
FIO41-C. Do not call getc() or putc() with stream arguments that have side effects
FIO42-C. Ensure files are properly closed when they are no longer needed
FIO43-C. Handle temporary files securely
FIO44-C. Only use values for fsetpos() that are returned from fgetpos()
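FIO30-C is the one rule on this page rated P27/L1. The C program below is an added example and is not part of the CERT page: it contrasts passing user data as the format string with passing it as a `%s` argument, which is the whole substance of the rule. The input, buffer sizes and function names are constructed for the demonstration; the input deliberately contains only `%%`, so the noncompliant call stays well defined and the program runs to completion. With `%n` in the input the same call would write to memory, and with `%x` it would leak stack contents.

```c
#include <stdio.h>
#include <string.h>

/* Constructed attacker-controlled input (not from the page). It carries
   only "%%", so the noncompliant call below is well defined; "%n" in the
   same position would make that call write to memory, "%x" would leak
   stack contents. */
static const char USER_INPUT[] = "progress: 100%% done";

/* Noncompliant (violates FIO30-C): the user data *is* the format string,
   so the library parses it. gcc/clang flag this with -Wformat-security;
   that warning is the signal to look for in production code. */
const char *format_noncompliant(const char *user) {
    static char out[128];
    snprintf(out, sizeof out, user);
    return out;
}

/* Compliant: a fixed format with the user data passed as an argument.
   Nothing in the input is interpreted, so it is copied verbatim (truncated,
   never overflowed, because snprintf() is bounded by sizeof out). */
const char *format_compliant(const char *user) {
    static char out[128];
    snprintf(out, sizeof out, "%s", user);
    return out;
}

/* Returns 1 when the noncompliant path changed the input, i.e. the input
   was parsed as a format string, and 0 when it passed through unchanged. */
int input_was_interpreted(const char *user) {
    return strcmp(format_noncompliant(user), user) != 0;
}

int main(void) {
    printf("input        : %s\n", USER_INPUT);
    printf("noncompliant : %s\n", format_noncompliant(USER_INPUT));
    printf("compliant    : %s\n", format_compliant(USER_INPUT));
    printf("interpreted  : %d\n", input_was_interpreted(USER_INPUT));
    return 0;
}
```

The noncompliant path collapses `%%` to `%`, proof that the input was parsed as a format; the compliant path reproduces the input byte for byte. Grepping a code base for `printf`-family calls whose format argument is not a string literal, or building with `-Wformat-security`, finds the pattern mechanically.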
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO00-A | low | unlikely | medium | P2 | L3 |
| FIO01-A | medium | probable | high | P4 | L3 |
| FIO02-A | medium | unlikely | high | P2 | L3 |
| FIO03-A | medium | probable | high | P4 | L3 |
| FIO04-A | medium | probable | high | P4 | L3 |
| FIO05-A | medium | probable | medium | P8 | L2 |
| FIO06-A | medium | unlikely | medium | P4 | L3 |
| FIO07-A | low | unlikely | medium | P2 | L3 |
| FIO08-A | medium | unlikely | medium | P4 | L3 |
| FIO09-A | low | unlikely | medium | P2 | L3 |
| FIO10-A | medium | probable | medium | P8 | L2 |
| FIO11-A | low | probable | low | P6 | L2 |
| FIO12-A | low | unlikely | medium | P2 | L3 |
| FIO13-A | medium | probable | high | P4 | L3 |
| FIO14-A | low | probable | medium | P4 | L3 |
| FIO15-A | high | probable | high | P6 | L2 |
| FIO16-A | medium | probable | high | P4 | L3 |
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO30-C | high | likely | low | P27 | L1 |
| FIO31-C | medium | probable | medium | P8 | L2 |
| FIO32-C | medium | unlikely | medium | P4 | L3 |
| FIO33-C | high | unlikely | medium | P6 | L2 |
| FIO34-C | high | probable | medium | P12 | L1 |
| FIO35-C | low | unlikely | medium | P2 | L3 |
| FIO36-C | medium | unlikely | low | P6 | L2 |
| FIO37-C | high | unlikely | medium | P6 | L2 |
| FIO38-C | low | probable | medium | P4 | L3 |
| FIO39-C | medium | probable | medium | P8 | L2 |
| FIO40-C | low | unlikely | medium | P2 | L3 |
| FIO41-C | low | unlikely | medium | P2 | L3 |
| FIO42-C | medium | unlikely | medium | P4 | L3 |
| FIO43-C | high | probable | high | P6 | L2 |
| FIO44-C | medium | unlikely | medium | P4 | L3 |
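FIO34-C, rated P12/L1 in the table above, is the other level-1 rule in this section. The program below is an added example and is not part of the CERT page. It writes a constructed six-byte sample with the byte 0xFF in the middle to a `tmpfile()` stream (standard C, no named file on disk) and reads it back with `getc()` twice: once storing the result in a narrow character type, once in an `int` as the rule requires. The sample data, the function names and the choice of `signed char` are the example's own assumptions.

```c
#include <stdio.h>

/* Constructed sample (not from the page): six bytes with 0xFF in the
   middle, standing in for binary file content. */
static const unsigned char SAMPLE[] = { 'A', 'B', 0xFF, 'C', 'D', 'E' };

/* Write SAMPLE to an anonymous temporary stream and seek back to the start.
   tmpfile() opens in "wb+" and unlinks the file on close; fseek() rather
   than rewind() so the seek can be checked (FIO07-A). */
static FILE *open_sample(void) {
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    if (fwrite(SAMPLE, 1, sizeof SAMPLE, fp) != sizeof SAMPLE ||
        fseek(fp, 0L, SEEK_SET) != 0) {
        fclose(fp);
        return NULL;
    }
    return fp;
}

/* Noncompliant (violates FIO34-C): the int from getc() is narrowed to a
   character type. Byte 0xFF becomes -1, which compares equal to EOF, so
   the loop stops after two bytes and silently drops the rest. 'signed
   char' is spelled out to keep the result deterministic; it is what plain
   char is on x86 Linux and Windows. Where plain char is unsigned, the same
   loop never sees EOF at all and spins forever. */
long count_bytes_noncompliant(void) {
    FILE *fp = open_sample();
    if (fp == NULL) return -1;
    long count = 0;
    signed char c;
    while ((c = (signed char)getc(fp)) != EOF) {
        count++;
    }
    fclose(fp);
    return count;
}

/* Compliant: keep the int, compare it with EOF, then tell end-of-file from
   a read error with ferror() before trusting the count (FIO04-A). */
long count_bytes_compliant(void) {
    FILE *fp = open_sample();
    if (fp == NULL) return -1;
    long count = 0;
    int c;
    while ((c = getc(fp)) != EOF) {
        count++;
    }
    int failed = ferror(fp);
    fclose(fp);
    return failed ? -1 : count;
}

int main(void) {
    printf("noncompliant count: %ld\n", count_bytes_noncompliant());
    printf("compliant count   : %ld\n", count_bytes_compliant());
    return 0;
}
```

The noncompliant loop reports two bytes for a six-byte input; on a file such as a PNG, a TLS record or any binary blob, 0xFF is a perfectly ordinary value, so the truncation happens on real data, not only on the constructed sample. Both loops return -1 if the temporary stream cannot be created, and the compliant one also returns -1 when `ferror()` reports a read error, so the caller can tell "empty" from "failed".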